Security Lessons from the UK

Europeans, and Brits specifically, handle security differently than do the Yanks. Understanding why and how can help give both sides new ideas.

But Turnbull, in common with much British regulation and law, "is far less prescriptive than equivalent American legislation," says Peter Howes, an independent consultant who is closely linked with the British Standards Institution and who has coauthored several of its compliance guides. The British regulatory environment, he says, "tends to tell you what to do but not how to do it." British regulations simply say what must be achieved; American rules often go on to specify the means of compliance. Howes proffers an example: the American Securities Exchange regulations 17A3 and 17A4, which govern communications between brokers and their customers. Until very recently, these rules mandated that such communications must be recorded on write-once optical media, since amended to "unchangeable media." The equivalent British requirements, from the Financial Services Authority, simply mandate that they must be kept secure for a specific (varying) period of years.

It's the same with the Data Protection Act, adds Wilkinson. "The key word in the legislation is appropriate," he says. "It's up to the individual company to decide what is appropriate, having taken into account all the relevant circumstances. The act doesn't pretend to tell you what measures you should take or how you should comply."

Despite the wide-ranging legislation with which they must comply, British CSOs are far from regarding their regulatory burden as onerous. Many, such as John Meakin, group head of information security at London's Standard Chartered Bank, which operates in 55 countries around the globe, now feel that the United Statesnot the United Kingdomoffers a tougher regulatory regime for CSOs. At root, the cause is events such as 9/11 and the Enron collapse, he says. "In both cases, the U.S. has reacted by passing sweeping legislation," he notes. The result? A few years back, Meakin felt that his U.K. operations were more regulated than those in the United States. "Now," he says, "there's been a change."Metrics Go EastIf security-related legislation is headed west across the Atlantic, a new focus on the ROI of security is headed the other way, prompting British CSOs to press for metrics to prove their worth. "It's the major change that we've seen from our perspective as a supplier," says John Holland, London-based vice president of U.S.-headquartered security vendor Cybertrust. "We're getting asked questions we were never asked before. There's a real thrust towards better measurement, and better demonstration of value, in order to justify spend on security."

It's a trend that can play into the hands of smart CSOs. When Bill Pepper, director of security risk management at Computer Sciences Corp.'s (CSC) British headquarters in Aldershot, joined the company six years ago, he used improved cost-effectiveness as a justification for pulling together CSC's previously separately managed security strandsinformation security, physical security and personnel securityinto a single security function under his own aegis. Although CSC is an IT services company, Pepper's responsibilities are internally focused.